1

I'm trying to configure Debian 6.0.4 for massive shared hosting with PHP5. Packages apache2-mpm-worker libapache2-mod-fcgid apache2-suexec are installed.

I successfully loaded mod_vhost_alias and suexec to manage my domains by directory, then I placed this configuration in /etc/apache2/sites-enabled/001-vhostalias:

NameVirtualHost *:80
ServerName web-test.mynet.lan
DocumentRoot /var/www/

SuexecUserGroup www-data www-data    

UseCanonicalName    Off
VirtualDocumentRoot /var/www/www.%2+/public_html/
VirtualScriptAlias /var/www.%2+/cgi-bin/

DirectoryIndex index.html index.htm index.shtml index.php   

ScriptAlias /__php5-cgi/ "/usr/local/lib/custom-cgi/php5-cgi/"
Action php5-script /__php5-cgi/php5-cgi
AddHandler php5-script .php

With the above, for example, putting a domain named www.test-a.com online needs:

  • an adduser test-a.com (forcing badname)
  • mkdir -p /var/www/www.test-a.com/public_html and putting data files
  • a chmod and a chown and everything works fine...

Without suEXEC I ran some simple PHP tests, and they work fine as uid/gid www-data. But now I need to enable suEXEC to isolate domains...

The question is: how can I tell suEXEC to automatically get the right uid/gid?

I'm using the default suEXEC configuration:

root@web-test:/var/www# /usr/lib/apache2/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

But it crashes:

root@web-test:/var/www# tail /var/log/apache2/suexec.log 
[2012-05-05 18:31:48]: cannot run as forbidden uid (33/php5-cgi)
[2012-05-05 18:34:24]: uid: (33/www-data) gid: (33/www-data) cmd: php5-cgi

Note: I previously used apache2-mpm-itk, but it's quite unstable after 400-500 VirtualHost definitions; in particular, it crashes on apache2ctl restart|graceful.

Thanks

Fabio
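
An added example (not from the original posts): a Python pre-flight that applies suEXEC's minimum-uid/gid and docroot rules to the values quoted in the question, showing which rule produces the "forbidden uid" log entry. The uid/gid 1001 and the /var/www/www.test-a.com/cgi-bin path are constructed; the docroot test here is lexical only, and suEXEC's ownership and permission checks are not modelled.

```python
import os
import re

# Output of `suexec -V` as quoted in the question.
SUEXEC_V = '''\
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
'''

def parse_suexec_v(text):
    """Return the compile-time settings printed by `suexec -V` as a dict."""
    settings = {}
    for name, value in re.findall(r'-D\s+(\w+)=("[^"]*"|\S+)', text):
        settings[name] = value.strip('"')
    return settings

def explain_log(line):
    """Extract (kind, id) from a 'cannot run as forbidden uid/gid' log line."""
    m = re.search(r'cannot run as forbidden (uid|gid) \((\d+)/', line)
    return (m.group(1), int(m.group(2))) if m else None

def preflight(settings, uid, gid, cgi_dir):
    """List the modelled suEXEC rules a request would violate (empty = passes)."""
    problems = []
    uid_min = int(settings["AP_UID_MIN"])
    gid_min = int(settings["AP_GID_MIN"])
    # suEXEC refuses root and any uid/gid below the compiled-in minimum.
    if uid == 0 or uid < uid_min:
        problems.append("forbidden uid %d (AP_UID_MIN=%d)" % (uid, uid_min))
    if gid == 0 or gid < gid_min:
        problems.append("forbidden gid %d (AP_GID_MIN=%d)" % (gid, gid_min))
    # The CGI program must live under AP_DOC_ROOT (lexical check, an assumption:
    # the real binary compares against the resolved working directory).
    root = os.path.normpath(settings["AP_DOC_ROOT"])
    target = os.path.normpath(cgi_dir)
    if os.path.commonpath([root, target]) != root:
        problems.append("command not in docroot (%s)" % target)
    return problems

if __name__ == "__main__":
    cfg = parse_suexec_v(SUEXEC_V)
    # Values from the question: www-data is uid/gid 33, wrapper under /usr/local/lib.
    for p in preflight(cfg, 33, 33, "/usr/local/lib/custom-cgi/php5-cgi"):
        print(p)
```
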

2 Answers

1

I would suggest using mpm-itk

Package: apache2-mpm-itk
Description: multiuser MPM for Apache 2.2
 The ITK Multi-Processing Module (MPM) works in about the same way as the classical "prefork" module (that is, without threads),
 except that it allows you to constrain each individual vhost to a particular system user. This allows you to run several different
 web sites on a single server without worrying that they will be able to read each others' files. This is a third-party MPM that is
 not included in the normal Apache httpd.

 Please note that this MPM is somewhat less tested than the MPMs that come with Apache itself.

With an additional patch you can assign uid/gid dynamically. I have been using this solution for about 2 years without any problem.

<VirtualHost *:80>
    ServerName www.example.net
    ServerAlias *.example.net
    UseCanonicalName Off

    VirtualDocumentRoot /vhosts/example.net/%1
    DirectoryIndex index.php index.html

    AssignUserFromPath "^/vhosts/example.net/([^/]+)" mvh_$1 mvh_$1

    <Directory /vhosts/example.net>
        Options -Indexes +Includes
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
ALex_hha
0

The SuexecUserGroup directive doesn't seem to support variables, so there's no easy way to do what you want. This mailing list post also says that it isn't possible, and that CGIwrap should be used instead. The only other approach I can think of is to abuse suEXEC's mod_userdir integration and somehow rewrite the requests to a user directory, but this is unlikely to work well.

mgorven
  • Thanks mgorven. I considered `CGIwrap` too, but it's a bit complex and outdated. Finally I decided to create my own version of `suexec`, patching it from Debian sources. I'm still testing it but I'd like to publish it. There is also a similar commercial version of Suexec from 1H Ltd, but this isn't open source and I think that's a GPL infringement. However look here: http://docs.1h.com/Suexec. – Fabio May 11 '12 at 07:38